Advice through experience in Office 365, Security, and Azure
Email Phishing Protection Guide – Part 1: Customize Office 365 Logon Portal

Email Phishing Protection Guide – Part 1: Customize Office 365 Logon Portal

The Email Phishing Protection Guide is a multi-part blog series written to walk you through the setup of many security focused features you may already own in Microsoft Windows, Microsoft Office 365, and Microsoft Azure. By implementing some or all of these items, an organization will increase their security posture against phishing email attacks designed to steal user identities. This guide is written for system administrators with skills ranging from beginner to expert.

Email Phishing Protection Guide Index:

Introduction: Email Phishing Protection Guide – Enhancing Your Organization’s Security Posture

Part 1: Customize the Office 365 Logon Portal

Part 2: Training Users with the Office 365 Attack Simulator

Part 3: Deploy Multi Factor Authentication (MFA)

Part 4: Deploy Windows Hello

Part 5: Define Country and Region Logon Restrictions for Office 365 and Azure Services

Part 6: Deploy Outlook Plug-in to Report Suspicious Emails

Part 7: Deploy ATP Anti-Phishing Policies

Part 8: Deploy ATP Safe Link Policies

Part 9: Deploy ATP Safe Attachment Policies

Part 10: Deploy and Enforce Smart Screen for Microsoft Edge, Microsoft Internet Explorer and Google Chrome

Part 11: Monitor Phishing and SPAM Attacks in Office 365

Part 12: Discover Who is Attacking Your Office 365 User Identities

Part 13: Update Your User Identity Password Strategy

Part 14: Prevent Brute Force and Spray Attacks in Office 365

Part 15: Implement the Microsoft Azure AD Password Protection Service (for On-Premises too!)

Part 16: Disable Office 365 Legacy Email Authentication Protocols

Part 17: Control Application Consent Registrations in Microsoft Office 365 and Microsoft Azure

Part 18: Increase Security with Microsoft Secure Score

Part 19: Email Phishing Protection Security Checklist

Part 20: Recommended Security and Anti-Phishing Training from Microsoft Ignite 2018

Part 1: Customize the Office 365 Logon Portal

As the first part of this blog series with advice about how to enable and adjust features in Microsoft Office 365 to defend against phishing email attacks, we’ll start with an element of what I call the Human Firewall. Let’s consider this one of the many locks I am highlighting that can be implemented to raise the security posture of your organization.
Humans are creatures of habit. We don’t think much about opening a tablet or laptop to logon with a username/password or using Windows Hello with a fingerprint, facial recognition, etc. We are conditioned to do this each day at the same familiar prompts. With even the slightest change to this conditioned action, we would most likely recognize it and stop. We would stop and consider that something is different, something is not right, and then figure out what it is. This is part of the Human Firewall – making the user stop, think about what he or she is doing, and to be skeptical when things no longer look quite right. Being skeptical is part of an employee awareness program I highlight in the next blog of this guide.

Remember that part of the evolving phishing attacks include trying to trick your users into providing their username and password in a fake website. These fake websites can look very similar to the real one, fooling even the most skeptical person. If we, as system administrators, change the Microsoft Office 365 logon screen with a customized background and logo, users would be conditioned to seeing this and not think much of it each time they logon. However, they would see a difference in a fake website designed to look like the standard/default Office 365 logon page. This subtle difference is enough to make the user recognize that something is different, determine it is a fake site, and prevent he or she from entering a username and password to an attacker.

I have advised a large number of customers and Microsoft partners to customize their logon portal and have heard from several that users can now easily recognize a fake site. One person shared with me a story of how she was on a phone call in one conversation, Instant Messaging in another conversation, and in another thread responding to an email request from her HR department to update her personal profile online. Even while in the middle of doing these different things, having the company portal customized with their logo was what stopped her from entering logon credentials. After clicking on what seemed like a legitimate email from HR, she was taken to what looked like a normal Office 365 portal, she paused and realized it was a fake site only because she was so used to seeing her company background image and logo on the screen. This is a great example about how our conditioning as humans was interrupted – something was different that makes us stop and analyze the situation. The Human Firewall.

I have outlined the steps below about how you can easily modify your logon site and encourage you to do so. Once customized, be sure to communicate this new screen to all of your users through an internal awareness campaign of emails, lunch and learn sessions, newsletter articles, etc. Make users aware that you are modifying the logon page and why. Reiterate why you are taking this action as part of a security awareness training program. Will this prevent all identities from being stolen? No, but it will certainly help and is one of the many locks you can use to further secure your organization.

To customize the Microsoft Office 365 logon portal for your organization, follow the steps below:

  1. With a Global Administrator account, logon to
  2. On the left side of the screen, select Azure Active Directory

  3. Then, select Company Branding

  4. With Company Branding now selected, the Default profile is displayed to the right. Click Default to open the settings.

  5. Here, you will see the options available to define the background image, your organization’s logo, and customized text for the logon screen. When choosing a background image, consider using a picture of your organization headquarters, a picture of a product you make, a picture of the city skyline or downtown that is closest to you. Make it something that is easy to identify and means something to your organization. Make it something that, if it was ever changed, would prompt your users to stop and become skeptical of the logon site.

  6. As an example, I chose to use a customized background picture I took a few years ago of Waikiki Beach along with the company logo for my demonstration company, Contoso. Note that the pictures you use must follow the file size and type guidelines provided for each field.

  7. When ready, select the Save option on the top of the screen. Then, log off of this session and close the browser.

    Note: In my setup it took about ten minutes for the new background image to appear during logon. Be sure to wait enough time before testing this setting.

  8. As you open a new browser to log back in to, notice that the first logon screen remains the same. Until a username is entered, the system does not know who you are from the millions of other users across the globe. It is only at the second screen where a password is entered that the logon background image and logo has now changed.

    Picture below is of the first logon screen at

    Picture below is of the second logon screen that is now customized (notice the logo and background image)


    Keep in mind that users are often the last line of defense in safeguarding your organization’s identities and data. We are all human and mistakes do happen where a user can be tricked into providing his or her credential to an attacker. Since there is no technology by any vendor(s) who will provide 100% security on your network, we are often left with only the Human Firewall standing in the way. The more ways you can raise awareness and strengthen your Human Firewall, the more protected you and your organization will be.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: